Identity Server Module
This module provides integration and management functionality for Identity Server;
- Built on the IdentityServer4 library.
- Manage Clients, Identity resources and API resources in the system.
- Set permissions for clients.
- Create standard identity resources (like role, profile) easily.
- Create custom identity resources.
- Manage API resources
See the module description page for an overview of the module features.
How to Install
Identity Server is pre-installed in the startup templates. So, no need to manually install it.
Packages
This module follows the module development best practices guide and consists of several NuGet and NPM packages. See the guide if you want to understand the packages and relations between them.
You can visit Identity module package list page to see list of packages related with this module.
User Interface
Menu Items
Identity Server module adds the following items to the "Main" menu, under the "Administration" menu item:
- Clients: Client management page.
- Identity resources: Identity resource management page.
- API resources: API resource management page.
AbpIdentityServerMenuNames
class has the constants for the menu item names.
Pages
Client Management
Clients page is used to manage Identity Server clients. A client represent applications that can request tokens from your Identity Server.
You can create new clients or edit existing clients in this page:
Identity Resource Management
Identity resource page is used to manage identity resources of Identity Server. Identity resources are data like user ID, name, or email address of a user.
You can create a new identity resource or edit an existing identity resource in this page:
This page allows creating standard identity resources (role, profile, phone, openid, email and address) using "Create standard resources" button.
API Resource Management
Identity Server module allows to manage API resources. To allow clients to request access tokens for APIs, you need to define API resources.
You can create a new API resource or edit an existing API resource in this page:
Data Seed
This module adds some initial data (see the data seed system) to the database when you run the .DbMigrator
application:
- Creates standard identity resources which are role, profile, phone, openid, email and address.
You can delete or edit created standard identity resources in the identity resource management page. You can also re-create standard identity resources in the identity resource management page using "Create standard resources" button.
Options
AbpIdentityServerBuilderOptions
AbpIdentityServerBuilderOptions
can be configured in PreConfigureServices
method of your Identity Server module. Example:
public override void PreConfigureServices(ServiceConfigurationContext context)
{
PreConfigure<AbpIdentityServerBuilderOptions>(builder =>
{
//Set options here...
});
}
AbpIdentityServerBuilderOptions
properties:
UpdateJwtSecurityTokenHandlerDefaultInboundClaimTypeMap
(default: true): UpdatesJwtSecurityTokenHandler.DefaultInboundClaimTypeMap
to be compatible with Identity Server claims.UpdateAbpClaimTypes
(default: true): UpdatesAbpClaimTypes
to be compatible with identity server claims.IntegrateToAspNetIdentity
(default: true): Integrate to ASP.NET Identity.AddDeveloperSigningCredential
(default: true): Set false to suppress AddDeveloperSigningCredential() call on the IIdentityServerBuilder.
IIdentityServerBuilder
can be configured in PreConfigureServices
method of your Identity Server module. Example:
public override void PreConfigureServices(ServiceConfigurationContext context)
{
PreConfigure<IIdentityServerBuilder>(builder =>
{
builder.AddSigningCredential(...);
});
}
Internals
Domain Layer
Aggregates
This module follows the Entity Best Practices & Conventions guide.
ApiResource
API Resources are needed for allowing clients to request access tokens.
ApiResource
(aggregate root): Represents an API resource in the system.ApiSecret
(collection): secrets of the API resource.ApiScope
(collection): scopes of the API resource.ApiResourceClaim
(collection): claims of the API resource.
Client
Clients represent applications that can request tokens from your Identity Server.
Client
(aggregate root): Represents an Identity Server client application.ClientScope
(collection): Scopes of the client.ClientSecret
(collection): Secrets of the client.ClientGrantType
(collection): Grant types of the client.ClientCorsOrigin
(collection): CORS origins of the client.ClientRedirectUri
(collection): redirect URIs of the client.ClientPostLogoutRedirectUri
(collection): Logout redirect URIs of the client.ClientIdPRestriction
(collection): Provider restrictions of the client.ClientClaim
(collection): Claims of the client.ClientProperty
(collection): Custom properties of the client.
PersistedGrant
Persisted Grants stores AuthorizationCodes, RefreshTokens and UserConsent.
PersistedGrant
(aggregate root): Represents PersistedGrant for identity server.
IdentityResource
Identity resources are data like user ID, name, or email address of a user.
IdentityResource
(aggregate root): Represents and Identity Server identity resource.IdentityClaim
(collection): Claims of identity resource.
Repositories
This module follows the Repository Best Practices & Conventions guide.
Following custom repositories are defined for this module:
IApiResourceRepository
IClientRepository
IPersistentGrantRepository
IIdentityResourceRepository
Domain Services
This module follows the Domain Services Best Practices & Conventions guide.
Identity Server module doesn't contain any domain service but overrides services below;
AbpProfileService
(Used whenAbpIdentityServerBuilderOptions.IntegrateToAspNetIdentity
is true)AbpClaimsService
AbpCorsPolicyService
Settings
This module doesn't define any settings.
Application Layer
Application Services
ApiResourceAppService
(implementsIApiResourceAppService
): Implements the use cases of the API resource management UI.IdentityServerClaimTypeAppService
(implementIIdentityServerClaimTypeAppService
): Used to get list of claims.ApiResourceAppService
(implementsIApiResourceAppService
): Implements the use cases of the API resource management UI.IdentityResourceAppService
(implementsIIdentityResourceAppService
): Implements the use cases of the Identity resource management UI.
Database Providers
Common
Table/Collection Prefix & Schema
All tables/collections use the IdentityServer
prefix by default. Set static properties on the AbpIdentityServerDbProperties
class if you need to change the table prefix or set a schema name (if supported by your database provider).
Connection String
This module uses AbpIdentityServer
for the connection string name. If you don't define a connection string with this name, it fallbacks to the Default
connection string.
See the connection strings documentation for details.
Entity Framework Core
Tables
- IdentityServerApiResources
- IdentityServerApiSecrets
- IdentityServerApiScopes
- IdentityServerApiScopeClaims
- IdentityServerApiClaims
- IdentityServerClients
- IdentityServerClientScopes
- IdentityServerClientSecrets
- IdentityServerClientGrantTypes
- IdentityServerClientCorsOrigins
- IdentityServerClientRedirectUris
- IdentityServerClientPostLogoutRedirectUris
- IdentityServerClientIdPRestrictions
- IdentityServerClientClaims
- IdentityServerClientProperties
- IdentityServerPersistedGrants
- IdentityServerIdentityResources
- IdentityServerIdentityClaims
MongoDB
Collections
- IdentityServerApiResources
- IdentityServerClients
- IdentityServerPersistedGrants
- IdentityServerIdentityResources
Permissions
See the AbpIdentityServerPermissions
class members for all permissions defined for this module.
Angular UI
Installation
In order to configure the application to use the IdentityServerModule
, you first need to import IdentityServerConfigModule
from @volo/abp.ng.identity-server/config
to root module. IdentityServerConfigModule
has a static forRoot
method which you should call for a proper configuration.
// app.module.ts
import { IdentityServerConfigModule } from '@volo/abp.ng.identity-server/config';
@NgModule({
imports: [
// other imports
IdentityServerConfigModule.forRoot(),
// other imports
],
// ...
})
export class AppModule {}
The IdentityServerModule
should be imported and lazy-loaded in your routing module. It has a static forLazy
method for configuration. Available options are listed below. It is available for import from @volo/abp.ng.identity-server
.
// app-routing.module.ts
const routes: Routes = [
// other route definitions
{
path: 'identity-server',
loadChildren: () =>
import('@volo/abp.ng.identity-server').then(m => m.IdentityServerModule.forLazy(/* options here */)),
},
];
@NgModule(/* AppRoutingModule metadata */)
export class AppRoutingModule {}
If you have generated your project via the startup template, you do not have to do anything, because it already has both
IdentityServerConfigModule
andIdentityServerModule
.
Options
You can modify the look and behavior of the module pages by passing the following options to IdentityServerModule.forLazy
static method:
- entityActionContributors: Changes grid actions. Please check Entity Action Extensions for Angular for details.
- toolbarActionContributors: Changes page toolbar. Please check Page Toolbar Extensions for Angular for details.
- entityPropContributors: Changes table columns. Please check Data Table Column Extensions for Angular for details.
- createFormPropContributors: Changes create form fields. Please check Dynamic Form Extensions for Angular for details.
- editFormPropContributors: Changes create form fields. Please check Dynamic Form Extensions for Angular for details.
Services
The @volo/abp.ng.identity-server
package exports the following services which cover HTTP requests to counterpart APIs:
- IdentityServerService: Covers several methods that performing HTTP calls for
Clients
,Identity Resources
, andApi Resources
pages.
IdentityServerModule Replaceable Components
eIdentityServerComponents
enum provides all replaceable component keys. It is available for import from @volo/abp.ng.identity-server
.
Please check Component Replacement document for details.
Remote Endpoint URL
The Identity Server module remote endpoint URL can be configured in the environment files.
export const environment = {
// other configurations
apis: {
default: {
url: 'default url here',
},
AbpIdentityServer: {
url: 'Identity Server remote url here'
}
// other api configurations
},
};
The Identity Server module remote URL configuration shown above is optional. If you don't set a URL, the default.url
will be used as fallback.
Distributed Events
This module defines events for Client
aggregate and ClientCorsOrigin
entity. When a Client
or ClientCorsOrigin
changes, AllowedCorsOriginsCacheItemInvalidator
invalidates the cache for AllowedCorsOriginsCacheItem
. See the standard distributed events for more information about distributed events.